User Shell Folders Registry Modification via CommandLine
Detects modifications to the Shell Folders or User Shell Folders registry values via reg.exe or PowerShell, which could indicate a persistence attempt. These values are not launch entries themselves: they hold the file-system paths that Explorer resolves for the per-user Startup folder (HKCU, value Startup) and the all-users Startup folder (HKLM, value Common Startup). An attacker who repoints one of them at a directory under their control gets every file placed in that directory launched at the next logon, without ever writing to the real Startup folder or to a Run key. The technique is used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
Sigma rule
```yaml
title: User Shell Folders Registry Modification via CommandLine
id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
related:
    - id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
      type: similar
status: experimental
description: |
    Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.
    Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.
    This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
references:
    - https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1547.001
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll' # OriginalFileName carried by pwsh.exe
              - 'reg.exe'
    selection_cli_action:
        CommandLine|contains:
            - ' add ' # reg.exe modification
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'si ' # built-in alias of Set-Item; note that Set-ItemProperty's alias is 'sp', which this list does not cover
    selection_cli_paths_root:
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    selection_cli_paths_suffix:
        CommandLine|contains: 'Startup' # covers both 'Startup' and 'Common Startup'
    condition: all of selection_*
falsepositives:
    - Usage of reg.exe or PowerShell to modify User Shell Folders for legitimate purposes; but rare.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/info.yml
simulation:
    - type: atomic-red-team
      name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
      technique: T1547.001
      atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b
```
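To make the detection block concrete, the four selections and the `all of selection_*` condition are re-implemented below in Python and run over a handful of constructed process_creation events. This is an added example, not the rule's regression data or any SigmaHQ tooling; the image paths, the directory `C:\Users\Public\drop` and the command lines are invented (the first event is shaped like the Atomic Red Team HKLM Common Startup test the rule references). It also shows two properties of the rule that the YAML alone does not make obvious: a renamed `reg.exe` is still caught through `OriginalFileName`, and a `Set-ItemProperty` call abbreviated with its real built-in alias `sp` (the alias `si` in the rule resolves to `Set-Item`) hits none of the `selection_cli_action` strings and goes unseen.

```python
# Added example: the rule's detection block re-implemented in Python and run over
# constructed process_creation events. Not the rule's own test data or SigmaHQ code.

# Strings copied from the rule's selections.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe", "\\reg.exe")
ORIGINAL_FILENAMES = ("powershell.exe", "pwsh.dll", "reg.exe")  # pwsh.exe reports OriginalFileName pwsh.dll
CLI_ACTIONS = (" add ", "New-ItemProperty", "Set-ItemProperty", "si ")
CLI_PATH_ROOTS = (
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
)
CLI_PATH_SUFFIXES = ("Startup",)  # hits both 'Startup' and 'Common Startup'


def _contains_any(value, needles):
    """Sigma 'contains' is case-insensitive by default, so compare lower-cased."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def _endswith_any(value, suffixes):
    lowered = value.lower()
    return any(lowered.endswith(suffix.lower()) for suffix in suffixes)


def matches(event):
    """Evaluate 'condition: all of selection_*' for one process_creation event."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    cli = event.get("CommandLine", "")
    # selection_img is a YAML list of two maps, i.e. Image-suffix OR OriginalFileName.
    selection_img = _endswith_any(image, IMAGE_SUFFIXES) or original.lower() in ORIGINAL_FILENAMES
    selection_cli_action = _contains_any(cli, CLI_ACTIONS)
    selection_cli_paths_root = _contains_any(cli, CLI_PATH_ROOTS)
    selection_cli_paths_suffix = _contains_any(cli, CLI_PATH_SUFFIXES)
    return all((selection_img, selection_cli_action, selection_cli_paths_root, selection_cli_paths_suffix))


# Constructed events using Sysmon event ID 1 field names; every path and value is invented.
SAMPLE_EVENTS = [
    {   # HKLM 'Common Startup' redirected with reg.exe; upper-case SOFTWARE still matches.
        "name": "reg_add_common_startup",
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup" /t REG_EXPAND_SZ /d "C:\Users\Public\drop" /f',
    },
    {   # Per-user Startup redirected from Windows PowerShell with the full cmdlet name.
        "name": "ps_set_itemproperty_startup",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell.exe -NoProfile -Command Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name Startup -Value 'C:\Users\Public\drop'",
    },
    {   # reg.exe copied and renamed: Image no longer ends in \reg.exe, OriginalFileName still does.
        "name": "renamed_reg_originalfilename",
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'r.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup" /t REG_SZ /d "C:\Users\Public\drop" /f',
    },
    {   # Read-only query of the same value: no ' add ' string, so no alert.
        "name": "reg_query_benign",
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup',
    },
    {   # Classic Run-key persistence: right action, wrong key, so this rule stays quiet.
        "name": "reg_add_run_key",
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\u.exe /f",
    },
    {   # Same modification as above via the real Set-ItemProperty alias 'sp': not covered by the rule.
        "name": "ps_sp_alias_gap",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": r"pwsh.exe -c sp 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' Startup 'C:\Users\Public\drop'",
    },
]


def alerts(events=SAMPLE_EVENTS):
    """Names of the events the rule fires on, sorted for a stable comparison."""
    return sorted(event["name"] for event in events if matches(event))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(("ALERT " if matches(event) else "quiet ") + event["name"])
```

Running the block prints three alerts and three quiet events. The `ps_sp_alias_gap` case is the one to take away: if you tune this rule, adding `'sp '` (with the same trailing-space convention as `'si '`) to `selection_cli_action` closes it, at the cost of the extra false-positive review that any two-letter substring brings.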
References
- https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
Related rules
- Windows Event Log Access Tampering Via Registry
- Registry Modification of MS-settings Protocol Handler
- Registry Modification for OCI DLL Redirection
- DHCP Callout DLL Installation
- New DNS ServerLevelPluginDll Installed